Commit 6b17a53

authored
All: switch to non-report-only CSP headers (#71)
* miscweb: add connect-src exception for google fonts https://demos.jquerymobile.com/1.4.5/grids/ * All: switch to non-report-only CSP headers Closes gh-54
1 parent f14f7ac commit 6b17a53

4 files changed

+6
-5
lines changed

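--- a/hieradata/environments/production/roles/miscweb.yaml
+++ b/hieradata/environments/production/roles/miscweb.yaml
@@ -25,6 +25,7 @@ profile::miscweb::sites:
 # script-src: load scripts from cdn.jsdelivr.net
 # script-src: load script from gd.geobytes.com
 # connect-src: connect to maps.googleapis.com
+# connect-src: fetch fonts from fonts.googleapis.com
 # img-src: data: for inline SVGs
 # img-src: load images from code.jquery.com
 # img-src: load images from maps.gstatic.com
@@ -34,7 +35,7 @@ profile::miscweb::sites:
 # style-src: load styles from cdn.jsdelivr.net
 # style-src: unsafe-inline for supports tests in
 # jQuery 1.7.3 and jQuery Mobile 1.3.0
-csp_header: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' gd.geobytes.com code.jquery.com maps.google.com cdn.jsdelivr.net; connect-src 'self' maps.googleapis.com; img-src 'self' code.jquery.com maps.gstatic.com maps.google.com data:; style-src 'self' 'unsafe-inline' code.jquery.com fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
+csp_header: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' gd.geobytes.com code.jquery.com maps.google.com cdn.jsdelivr.net; connect-src 'self' maps.googleapis.com fonts.googleapis.com; img-src 'self' code.jquery.com maps.gstatic.com maps.google.com data:; style-src 'self' 'unsafe-inline' code.jquery.com fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint
 podcast.jquery.com:
 repository:
 name: jquery/podcast.jquery.com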
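Review bot: The script-src on the new csp_header line still carries 'unsafe-inline' and 'unsafe-eval' with no nonce or hash, so now that the header is enforcing it cannot stop an injected inline script — the policy only constrains which remote hosts may serve scripts. The comment block above explains 'unsafe-inline' for style-src (jQuery 1.7.3 / jQuery Mobile 1.3.0 support tests) but says nothing about why script-src needs it, which the next maintainer will need before they can tighten it. Suggest recording it next to the existing comments: `# script-src: 'unsafe-inline' and 'unsafe-eval' — TODO: note which demo pages need these; until replaced by nonces/hashes the policy does not block inline script injection`. The directive comments start above this hunk, so the list may already be partly covered there.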

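--- a/modules/profile/templates/contentorigin/site.nginx.erb
+++ b/modules/profile/templates/contentorigin/site.nginx.erb
@@ -15,7 +15,7 @@ server {
 
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
-add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' code.jquery.com; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 
 location / {
 root /srv/www/content.jquery.com;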
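Review bot: The enforcing header on the changed add_header line is set without `always`, so nginx will omit it on 4xx/5xx responses (add_header applies only to 2xx/3xx status codes by default), leaving error pages without a CSP — while the gruntjscom template in this same commit does pass `always`. Suggest `add_header Content-Security-Policy "…" always;` and the same on the Reporting-Endpoints line above it so the report-to endpoint is also declared on error responses. Separately, nginx does not inherit server-level add_header into a `location` that sets its own add_header; the `location /` block that begins at the end of this hunk continues outside it, so that is worth checking rather than assuming.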

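--- a/modules/profile/templates/gruntjscom/site.nginx.erb
+++ b/modules/profile/templates/gruntjscom/site.nginx.erb
@@ -21,7 +21,7 @@ server {
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
 # script-src: add 'unsafe-eval' for the search functionality on gruntjs.com/plugins
 # Search will need to be reimplemented to remove this exception.
-add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval'; connect-src 'self'; img-src 'self'; style-src 'self'; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint" always;
 }
 
 location /.well-known/acme-challenge {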
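Review bot: `default-src 'self'` on the now-enforced add_header line does not fall back into `base-uri`, `frame-ancestors` or `form-action`, so this policy leaves `<base href>` injection, framing of the site and form submission targets unrestricted even though everything else is locked to 'self'. Adding `base-uri 'self'` is safe for any site; `frame-ancestors 'none'` should only be added if gruntjs.com is not meant to be embedded, which this hunk does not show. A minimal change is `add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; script-src 'self' 'unsafe-eval'; …" always;`. The existing comment about 'unsafe-eval' could also say why it matters now that enforcement is on, e.g. `# 'unsafe-eval' lets any script that does run use eval()/new Function, so this exception weakens the enforced policy, not just reporting.`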

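--- a/modules/profile/templates/miscweb/site.nginx.erb
+++ b/modules/profile/templates/miscweb/site.nginx.erb
@@ -21,13 +21,13 @@ server {
 # Add Content Security Policy headers
 add_header Reporting-Endpoints "csp-endpoint='https://csp-report-api.openjs-foundation.workers.dev/'";
 <%- if @site['csp_header'] -%>
-add_header Content-Security-Policy-Report-Only "<%= @site['csp_header'] %>";
+add_header Content-Security-Policy "<%= @site['csp_header'] %>";
 <%- else -%>
 # script-src: add 'wasm-unsafe-eval' for WebAssembly-driven search on
 # bugs.jquery.com, bugs.jqueryui.com, and plugins.jquery.com
 # img-src: allow secure.gravatar.com images on plugins.jquery.com
 # media-src: allow content.jquery.com media on podcast.jquery.com
-add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' code.jquery.com; connect-src 'self'; img-src 'self' secure.gravatar.com; style-src 'self'; media-src 'self' content.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' code.jquery.com; connect-src 'self'; img-src 'self' secure.gravatar.com; style-src 'self'; media-src 'self' content.jquery.com; report-uri https://csp-report-api.openjs-foundation.workers.dev/; report-to csp-endpoint";
 <%- end -%>
 
 <%- if @site['allow_php'] -%>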
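Review bot: Both changed add_header lines in this shared template emit the enforcing header without `always`, so every miscweb site served from it loses its CSP on 4xx/5xx responses (nginx adds these headers only to 2xx/3xx by default), whereas the gruntjscom template in the same commit uses `always`; suggest `add_header Content-Security-Policy "<%= @site['csp_header'] %>" always;` and the matching `always` on the default-policy line. The per-site `csp_header` value from hieradata is dropped verbatim into a double-quoted nginx string, so a value containing `"` would break the config and a `$` would be treated as an nginx variable; a comment at the `<%- if @site['csp_header'] -%>` line such as `# csp_header is inserted unescaped into an nginx string: it must not contain " or $` would warn the next person editing hieradata. The `allow_php` branch that follows is outside this hunk; if it adds headers inside a `location`, the server-level CSP is not inherited there.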
